143 million people were affected by the Equifax data breach, which occurred between mid-May and late July 2017 but was only announced on September 7th. Names, social security numbers, birth dates, addresses, credit card information and driver’s license numbers were stolen, meaning years of potential problems for those affected. The hack will cast a shadow over all consumer credit reporting agencies but, in reality, the darkness should extend much further to include, among other things, our smart buildings.
“Building management systems may also be vulnerable. There isn’t really the profit motive to interrupting building management but, for example, air conditioning, heating, elevators can be hacked. And so that’s another layer for commercial real estate companies to be aware of and protect,” said Leo Taddeo, chief information security officer at Cyxtera Technologies.
Smart buildings combine operational technology (OT) and information technology (IT), as well as IoT devices, which creates an unprecedented level of complexity for those assigned to protect facilities. Despite the significant advancements that have been made for cyber security in smart buildings, current offerings are not fully equipped to address this new, broad attack surface effectively. Furthermore, there is a fundamental lack of understanding among building managers and users desperately trying to keep up with the cyber world they now find themselves in.
“One of the biggest issues is organizations just trying to get their hands around the complexity [of cyber security], especially larger organizations. Understanding and kind of peeling apart the layers of understanding how to protect [the network],” states Neil Wright, Hill Top Securities’ Chief Technology Officer.
It is not simply a matter of developing technical cyber security layers, which in itself is not easy; it is also about educating all the users of digital technology, meaning all occupants and visitors in the case of smart buildings. Anyone who uses a computer connected to the networks within a building needs an understanding of cyber security in order to avoid causing a breach, including those who bring in their own devices such as laptops, tablets and smartphones.
We need to develop a culture of cyber security, as discussed at length in our interview with David Emm, Principal Security Researcher with Kaspersky Labs’ Global Research & Analysis Team.
“Some of the very basic [threats] are phishing and spear phishing. These are becoming more sophisticated. These are emails where they’re sending links or sending a document. You take some action that will infect your laptop, your desktop and it will perpetuate itself and move across the desktop. It can be as simple as reconnaissance and as complicated as taking a lot of data,” Wright explained.
In our emerging cyber-physical world, cyber security companies are having to adapt to the real world too. What good is a building’s wireless network if it can be intercepted by someone on the street? Facilities handling sensitive information are now being equipped with walls that have electromagnetic shielding and filtered power, which aim to prevent cyber hacking devices from penetrating physical walls. These Sensitive Compartmented Information Facilities (SCIFs) were originally developed during WWII but are now being reinvented to secure modern smart buildings.
The scale of the Equifax data breach does have the potential to change things, though, just as the Enron scandal did years ago. Mark Grossman, technology lawyer at Tannenbaum Helpern Syracuse & Hirschtritt, thinks the Equifax hack will lead to a new federal law that governs cyber security, and in a fashion that could change the way many firms do business.
“Right now there’s really nothing in place, so I could foresee something like what we have right now where Enron led to increased regulation. So this is what we might expect here, regulation that requires CEOs, CIOs to sign off on cyber security, security controls, hacking attempts that have occurred, breaches that have occurred, weaknesses and maybe addressing recommendations for the future,” Grossman said. “What I don’t expect to see are specific mandated requirements. You don’t want to do that because if you lock it down, in six months it could be horrifically outdated.”
And that’s just the problem with our increasingly digital society in the all-encompassing data age: we may create cyber security that protects us today, but eventually hackers will find a way around it. The cyber security landscape is constantly evolving, like a game of cat and mouse between hackers and cyber security professionals.
This won’t worry the cyber security industry as a whole, of course. While individual players may suffer if they fail to stay on top of the situation, competent companies and the sector in general will only grow as we become more vulnerable from digital integration. JLL predicts the cyber security market will grow from $138 billion in 2017 to $232 billion by 2022; that’s almost $100 billion in just five years.
Our own research, Cyber Security in Smart Commercial Buildings 2017 to 2021, estimates that global revenues for smart building cyber security will reach $8.65 billion by 2021, up from an estimated $4.26 billion in 2016, representing a CAGR of over 15% over the forecast period.
In the smart building sector, we can fight back with physical elements. Grossman expects cyber security in buildings to get a lot more personal in the near future. “I see us moving away from a card we wave at a device to a retinal scan, a fingerprint identification. Something biometric. The technology exists, it’s just a matter of implementing it,” he said. “You want the building to recognize you.”
The Equifax hack serves as another reminder that our modern society is increasingly vulnerable to cyber attack. If smart buildings, cities and grids hope to succeed in providing us with a secure environment, they will need to take the threat of cyber attacks much more seriously than we see today.